Feinberg IT Security Risk Management Policy


ADMINISTRATIVE POLICY
Subject: Information Security
Page 1 of 5
Policy #
Version: 1.0
Title: Risk Management
Revision of: New Policy
Effective Date: 11/1/17
Removal Date:

I. PURPOSE

This policy formally establishes the information security risk management program and oversight for the Northwestern University (NU) Feinberg School of Medicine (FSM). The scope of this policy includes regular determination of prioritization and implementation of safeguards, or transfer or acceptance of risk. The outcome of risk management is to ensure that FSM, as part of NU, is operating with an acceptable and agreed-to level of risk.

II. PERSONS AFFECTED

NU Feinberg School of Medicine Dean’s Office Administration, NU and FSM IT leadership, NU and FSM compliance, and NU Risk Management.

III. POLICY STATEMENT

Information security risk management covers all FSM information resources, whether managed or hosted internally or externally. The risk management process will include risk categorization, risk analysis, risk remediation and risk monitoring.

Items for discussion within the risk management process will be derived from a number of sources, including but not limited to: external security technology alerts and notifications, evolution of technology, changes in federal and state regulations, changes in environmental factors, and items submitted by those listed in Persons Affected.

Documentation of potential risks and assessment of those risks will be compiled and maintained in a Risk Registry as defined by the Procedure.

University and FSM IT leadership will convene regularly as the FSM IT Steering Committee to determine the disposition of potential risks as defined by the Procedure. The charge of the Feinberg Information Technology Steering Committee (FSM IT Steering Committee) for this policy is defined in Appendix A.

IV. PROCEDURE STATEMENT

Risk Categorization

Information resources are categorized based on the sensitivity of data, impact from loss of data availability, and potential risk exposure from technical vulnerabilities and lack of user knowledge of policy and accepted data handling practices.

Security controls to minimize threats and manage risks are based upon the following security control framework:
- HIPAA Privacy Rule, Security Rule, HITECH
- Combined Regulation Text of All Rules (HHS HIPAA)
- National Institute for Standards and Technology (NIST)
- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
- NIST SP 800-53r4 Security and Privacy Controls
- NIT HIPAA/ISO and ISO 27001/2 Information Security Guidance

Risk Analysis

The risk analysis process may consider:
- Ongoing identification and prioritization of threats and vulnerabilities in the technical environment and the impact on data protection.
- Technical upgrades/changes to the environment.
- Emerging threats resulting from the evolution of technology.
- Federal and state regulatory impact.
- Compensating controls implemented via policy and/or technology.
- New policy requirements from external collaborators.
- Learned risks from security incidents.

Risk determination will consider the above factors and apply the likelihood of occurrence and potential impact as defined in NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments. Risks are expressed as High, Medium and Low, defined as follows:
- High: There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
- Medium: Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
- Low: Corrective actions may still be required, but the organization decides to accept the risk.

Risk Remediation

Risk remediation will be derived from the risk analysis and will consider the following options:
- Risk elimination, mitigation or reduction
- Risk avoidance
- Risk acceptance
- Risk transference

Risk Monitoring

Risk monitoring processes may include:
- Routine general risk assessments at least yearly.
- Daily monitoring of external security technology alerts and notifications.
- Vulnerability and penetration testing.
- Assessment of impact from technology changes and upgrades.
- Evaluation of new/revised application systems.
- Data security plan reviews and audits.
- Changes to federal and state laws and regulations, industry standards and University policies.

Risk Registry

The risk registry will be updated monthly by the FSM CISO with new potential risks and updates on remediation efforts.

The FSM IT Steering Committee will agree upon the presented risk analysis, risk prioritization and desired remediation plans. The Committee may also indicate revisions to the content and format of the Registry.

V. POLICY UPDATE SCHEDULE

Policy review to occur one year after initial implementation and every three years thereafter.

VI. REVISION HISTORY

11/1/17 – New policy effective.

VII. RELEVANT REFERENCES

- NU Data Access: access.html
- Combined Regulation Text of All Rules (HHS HIPAA): ndex.html
- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments: /SP/nistspecialpublication800-30r1.pdf
- NIST SP 800-53 Rev. 4, Security and Privacy Controls: blications/NIST.SP.800-53r4.pdf
- NIT HIPAA/ISO, ISO 27001/2 Information Security Guidance: PAA-guidance.html

VIII. APPENDIX A: FSM IT Steering Committee Charge

Charge: The FSM IT Steering Committee will:
- Advise the Feinberg Dean on priorities, policies and procedures concerning the School’s Information Technology (IT) and Information Security program
- Recommend for approval policies and procedures pertaining to the school’s IT and Information Security programs
- Provide periodic review of IT and Information Security policies and procedures, consistent with University and Feinberg guidelines
- Oversee Feinberg’s IT risk management process
  o Maintain Feinberg’s risk registry
  o Identify mitigation strategies to protect data, information, and intellectual property
  o Design, implement and monitor Feinberg’s IT risk management action plan
  o Perform continual risk assessments
  o Review and implement appropriate risk responses and remediation plans
  o Serve as a formal input into Northwestern University’s enterprise risk management process
- Review requests for exceptions to standards, or deviations from policy or standard procedures
- Review IT and Information Security metrics; recommend improvements or modifications, as appropriate
- Charter subcommittees or working groups as required

Membership: The FSM IT Steering Committee will include:
- Feinberg Representatives:
  o Chief Information Officer (CIO)
  o Deputy CIO
  o Chief Information Security Officer (CISO)
  o Vice Dean for Scientific Affairs and Graduate Education
  o Associate Dean for Administration
  o Division Chief, Health and Biomedical Informatics
- Northwestern University Representatives:
  o CIO
  o CISO

Term: To ensure continuity of operations, individuals will serve as long as they are in the positions above. Membership composition will be reviewed annually to ensure appropriate representation.

Quorum: One-half of total membership plus one.